House bill sets up cyber threat clearinghouse at DHS

By William Jackson

Dec 16, 2011

A new cybersecurity bill has been introduced into the House hopper, spelling out the Homeland Security Department’s authority in protecting the nation’s critical infrastructure and establishing a national clearinghouse for cybersecurity and threat information.

The National Information Sharing Organization would be a non-governmental body representing both government and industry to facilitate the voluntary sharing of information and serve as a source of expertise and assistance in incident response.

DHS would be the official “focal point” for the security of government IT systems and for regulated critical infrastructure in the private sector.

The bill, a reworking of legislation proposed earlier this month in the House, is the result of a Republican cybersecurity task force that earlier this year recommended a set of limited, near-term legislative objectives as an alternative to sweeping cybersecurity reform bills that have stalled in the current and previous sessions.

“Cybersecurity is truly a team sport and this bill gives DHS needed authorities to play its part in the federal government’s cybersecurity mission and enables the private sector to play its part by giving them the information and access to technical support they need to protect critical infrastructure,” he said in announcing the bill.

Ranking Homeland Security Democrat Bennie G. Thompson of Mississippi called the bill a step forward and said that, “while I am not prepared to give my full support to the bill at this time, there’s a lot to like in this bill. I am pleased that it gives DHS the authority and resources it needs to fulfill its cybersecurity mission instead of creating a whole new bureaucracy or complicated regulatory framework."

DHS has been designated the lead agency for cybersecurity by the administration, but so far lacks oversight authority from Congress. Under the bill, the department would be the focal point for:

Coordinating protection of government systems and critical infrastructure.

Developing and coordinating a national cyber incident response.

Facilitating information sharing and dissemination.

Integration of government and private sector operational information.

DHS would conduct ongoing risk assessments of federal IT systems and, upon request, would work with critical infrastructure systems outside government. It also would foster development and use of new security technologies, lead in a national outreach and education program.

Homeland Security will not have any new regulatory authority over industry, but would do its work with private sector systems in cooperation with sector specific agencies with regulatory authority. It would also identify and evaluate risks in each sector and evaluate security performance standards. Regulators will incorporate cybersecurity standards into existing regulatory regimes rather than creating new regulatory authorities.

That National Information Sharing Organization would have three major missions:

Facilitating the exchange of cyber threat information, best practices and technical assistance among its membership, including the government.

Facilitate the creation of a common operating picture built from information contributed by technically sophisticated members including government, Internet service providers, and other members with access to large amounts of network related information.

Act as a catalyst for cooperative research and development of member driven research projects.

NISO would be member-funded, but $10 million in federal money would be authorized for the first three years of operation.

The director of the clearinghouse would work with the Director of National Intelligence to share classified and declassified information with members. The cybersecurity industry and other sectors can share info with NISO, and information shared would be exempted from the Freedom of Information Act and disclosure laws and cannot be used in a lawsuit or for regulatory purposes.

All information sharing would be voluntary and primarily within the NISO community, although government can issue sanitized warnings to industry and the public.